
Industrial Cybersecurity and Process Safety: Bridging IEC 61511 and IEC 62443

Writer: Matias Wulff | Consultant

Updated: Mar 12


Exciting Opportunity! Join our upcoming webinar to learn more about cybersecurity in an industrial context, where we'll delve deeper than this article. Register here.



As Industrial Control Systems (ICS) and Operational Technology (OT) merge with corporate networks, the risk of cyber threats increases. Technologies like Artificial Intelligence (AI), cloud computing, and remote monitoring enhance efficiency but also introduce new vulnerabilities. Integrating cybersecurity risk assessments into the Process Safety Management (PSM) framework is essential to address these threats. 


[Image: Programmable Logic Controller (PLC) - Industrial Cybersecurity]

Cybersecurity for Process Facilities 

Cybersecurity (often also referred to as cyber safety in the ICS/OT context) is getting increased attention from process facility owners and regulators. Geopolitics and the evolving threat landscape are increasing the risk. In addition, ICS/OT systems are becoming interconnected with corporate networks, also known as IT/OT convergence. This convergence, driven by technologies such as digital twins, data analytics, AI, cloud computing, remote monitoring, and automation (Industry 4.0), increases the exposure of ICS/OT systems to cybersecurity threats originating from external IT connections. These technologies enable improved operational efficiency, real-time monitoring, and advanced predictive capabilities but also introduce new attack vectors. Cybersecurity risk assessments should thus be included within the overall Process Safety Management (PSM) framework, evaluating cyber risks alongside traditional process hazards.

 

The integration of cybersecurity within PSM reflects an emerging best practice to identify cybersecurity risks that could lead to process safety incidents. For example, a cybersecurity incident that disrupts an emergency shutdown (ESD) system must be evaluated as a potential safety risk. Integrating cybersecurity into PSM ensures that cybersecurity measures are not isolated but incorporated as an integral part of the broader safety strategy. 


This insight presents how the key international standards relevant to managing cybersecurity for process plants are used together.


How Cybersecurity is Related to IEC 61511 

IEC 61511 is a standard widely used in the process industry that provides a risk-based framework for the design and operation of safety instrumented systems (SIS). The standard was originally developed for classic process risks, such as those caused by equipment failures, human errors and operational hazards.

[Textbox: what IEC 61511 and IEC 62443 are]

However, IEC 61511 also acknowledges the importance of cybersecurity in the context of process safety. Section 8.2.4 of IEC 61511-1 requires a security risk assessment (in addition to a regular Process Hazard Assessment (PHA)) when designing and engineering a process facility under IEC 61511. This section references standards such as IEC 62443, ISA TR84.00.09, and ISO/IEC 27001 for detailed guidance. In other words, IEC 61511 requires cybersecurity to be considered for safety integrity but generally relies on IEC 62443 for the specific cybersecurity practices.


"A security risk assessment shall be carried out to identify the security vulnerabilities of the SIS (...)" IEC 61511-1 (1)


To ensure a holistic approach to cybersecurity, it is therefore important to adopt and comply with both IEC 61511 and IEC 62443. Both standards provide a framework for a lifecycle approach to defining requirements, to the design and engineering of safety systems, and to maintaining integrity during the operational phase.


Lifecycle Approach to Functional Safety and Cybersecurity  

Both IEC 61511 (Functional Safety) and IEC 62443 (Cybersecurity) provide a risk-based framework with a lifecycle approach, where IEC 61511 focuses on safety system design and IEC 62443 on protecting industrial automation and control systems, including safety systems, against cybersecurity-related hazards.


IEC 61511 divides the lifecycle into 11 phases. Phases 1-8 start with identification of risks, followed by allocation of safety functions and definition of integrity requirements, design and engineering of safety systems, testing and verification prior to start-up, the operational phase, and decommissioning. In addition, the framework includes principles and requirements for verification activities, safety lifecycle planning and functional safety management (Phases 9-11).


IEC 62443 also includes a lifecycle approach, but not as clearly defined as in IEC 61511. The following table gives a comparison of lifecycle stages and main activities required to achieve compliance. 


When: Front End Engineering Design (FEED), i.e., prior to procuring equipment.
Lifecycle activity: Hazard identification and allocation of safety functions/security levels.

Functional Safety (IEC 61511), Phases 1-3:
Example input: P&IDs, C&Es, risk acceptance criteria.
Activity: Identify process hazards and the associated risks to be managed. This is typically done with a Hazard and Operability Study (HAZOP). Assign Safety Instrumented Functions (SIFs) to protection layers to reduce risks to an acceptable level. Layers of Protection Analysis (LOPA) is one of the normal methods used for allocating integrity requirements. SIFs are assigned a Safety Integrity Level (SIL) from 1 to 4, depending on criticality and risk; the higher the SIL, the stricter the requirements. Safety functions with no SIL requirement can be designed outside the IEC 61511 framework.
Output: Process risk register and a Safety Requirements Specification (SRS).

Cybersecurity (IEC 62443), Assess phase:
Example input: Network topology diagrams / Purdue diagrams, risk acceptance criteria.
Activity: Identify cyber threats and the associated risks to be managed. IEC 62443-3-2 presents a cybersecurity risk assessment methodology that is used to define the Target Security Level (SL-T), ranging from SL 1 to SL 4, where SL 4 gives the strictest design and operability requirements. The SL-T will typically drive the requirements for a complete system, such as a Safety Instrumented System, Process Control System (PCS), or similar.
The cybersecurity risk assessment is risk-based (like a HAZOP/LOPA) but typically uses a semi-quantitative approach, as frequencies for cybersecurity events are challenging to obtain.
Output: Cybersecurity risk assessment and Cybersecurity Requirements Specification (CSRS).

When: Design and engineering (procurement of equipment and verification that requirements are met).
Lifecycle activity: Develop and implement phase.

Functional Safety (IEC 61511), Phases 4-5:
Example input: SRS, vendor documentation (e.g., safety manuals), commissioning procedures.
Activity: Equipment is procured and vendor documentation assessed; reliability evaluations are performed to confirm that SIL requirements are met (both at SIF level and at safety system level). During commissioning, key integrity and functional requirements are tested to verify robustness and functionality prior to the operational phase.
Output: SIL verification and confirmed commissioning tests.

Cybersecurity (IEC 62443), Develop and implement phase:
Example input: CSRS, vendor documentation (e.g., safety manuals), commissioning procedures.
Activity: Implement security measures as required by the CSRS to mitigate the identified cyber threats. The product developer aligns with both IEC 62443-4-1/-4-2 and the asset-specific CSRS. The supplier ensures and documents that the process control and safety systems have designed-in countermeasures to prevent unauthorized access, to detect malicious activities, and to allow an efficient and robust response to cyber incidents.
Output: CSRS compliance documentation (for example a compliance matrix) and confirmed commissioning tests.

When: Operational phase.
Lifecycle activity: Integration of requirements.

Functional Safety (IEC 61511), Phases 6-8:
Example input: SRS, test records.
Activity: During the operational phase, the asset owner needs to conduct regular testing of safety instrumented functions/systems according to the requirements defined by the SRS, such as response time requirements, test intervals, acceptable leak rates, etc. The output shall be used to adjust the test regime and to evaluate the need for replacing equipment. Periodic risk assessments (e.g. re-HAZOP/LOPA) should be done to ensure that the system always meets the risk acceptance criteria.
Output: Barrier status, periodic risk reviews.

Cybersecurity (IEC 62443), Maintain phase:
Example input: CSRS.
Activity: During the operational phase, the asset owner should have a robust system for security monitoring in order to detect and mitigate security breaches, including an incident response plan.
Periodic risk assessments should be done to identify new risks and to ensure that the risk is sufficiently mitigated. This is important for cybersecurity threats, as the threat agents' sophistication and tactics evolve over time.
Regular audits and compliance reviews should also be performed to ensure continued compliance.
Output: Periodic risk assessments, regular audits, incident response plan.
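The LOPA allocation and the semi-quantitative SL-T assessment described in the comparison above, as an added runnable example (not from the article or from either standard). The PFDavg bands are the IEC 61511 low-demand bands; the SL-T risk matrix and the scenario figures are constructed placeholders that an asset owner would replace with its own risk acceptance criteria.

```python
# Added example (not from the article): LOPA-style SIL allocation for one
# overpressure scenario plus a semi-quantitative risk-matrix lookup for a zone's
# Target Security Level (SL-T). SL-T matrix and scenario numbers are constructed.

# IEC 61511-1 low-demand mode: SIL -> (lower, upper) PFDavg band.
SIL_PFD_BAND = {1: (1e-2, 1e-1), 2: (1e-3, 1e-2), 3: (1e-4, 1e-3), 4: (1e-5, 1e-4)}

# Constructed SL-T matrix (asset-owner criteria, not from the standard):
# rows = likelihood rank 1..4, columns = consequence rank 1..4.
SLT_MATRIX = [
    [0, 1, 1, 2],
    [1, 1, 2, 3],
    [1, 2, 3, 3],
    [2, 3, 3, 4],
]

def mitigated_frequency(initiating_event_freq, ipl_pfds):
    """Event frequency per year after the existing IPLs (LOPA product rule)."""
    freq = initiating_event_freq
    for pfd in ipl_pfds:
        freq *= pfd
    return freq

def required_sif_pfd(initiating_event_freq, ipl_pfds, tmel):
    """Largest PFDavg a new SIF may have to meet the target mitigated event
    likelihood (TMEL); None if the existing IPLs already meet it."""
    freq = mitigated_frequency(initiating_event_freq, ipl_pfds)
    return None if freq <= tmel else tmel / freq

def allocate_sil(required_pfd):
    """Map a required PFDavg to SIL 1-4; 0 means no SIL requirement."""
    if required_pfd is None or required_pfd >= SIL_PFD_BAND[1][1]:
        return 0
    for sil in (1, 2, 3, 4):
        if required_pfd >= SIL_PFD_BAND[sil][0]:
            return sil
    raise ValueError("risk reduction beyond SIL 4: revisit the process design")

def target_security_level(likelihood, consequence):
    """Semi-quantitative SL-T lookup for a zone/conduit (IEC 62443-3-2 style)."""
    if not (1 <= likelihood <= 4 and 1 <= consequence <= 4):
        raise ValueError("likelihood and consequence are ranked 1..4")
    return SLT_MATRIX[likelihood - 1][consequence - 1]

if __name__ == "__main__":
    # Constructed scenario: BPCS loop failure causes overpressure 0.5/yr, one
    # existing IPL (relief valve, PFD 0.01), TMEL 1e-5/yr -> RRF 500 -> SIL 2.
    pfd = required_sif_pfd(0.5, [0.01], 1e-5)
    print(f"required SIF PFDavg {pfd:.3g} -> SIL {allocate_sil(pfd)}")
    print("zone SL-T:", target_security_level(likelihood=3, consequence=4))
```

A required risk reduction that falls below the SIL 4 band is reported as an error rather than silently capped, since a single SIF is not an acceptable answer there.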

As IT and OT systems increasingly converge, aligning cybersecurity with functional safety is becoming essential. IEC 61511 emphasizes the role of the SIS and advocates for addressing cybersecurity risks that could affect safety. To achieve this, organizations should: 

  • Conduct combined safety and cybersecurity risk assessments with multidisciplinary teams; 

  • Implement a defense-in-depth architecture (a layered security approach) to mitigate cyber vulnerabilities; 

  • Regularly update policies, procedures, and training to address emerging threats. 


For example, a defense-in-depth strategy could combine IEC 61511's requirement for robust SIS design with IEC 62443's specifications for access control and network segmentation. Leveraging IEC 62443 for specific cybersecurity controls alongside IEC 61511 ensures a comprehensive approach to protecting ICS and OT systems. Real-time monitoring further enhances this protection by enabling swift detection and response to cybersecurity threats, minimizing disruptions to safety systems. By aligning cybersecurity practices with IEC 61511, organizations can safeguard personnel, protect critical assets, and enhance overall operational resilience. 



References


(1) International Electrotechnical Commission. IEC 61511-1:2016, Functional Safety - Safety Instrumented Systems for the Process Industry Sector - Part 1: Framework, Definitions, System, Hardware and Application Programming Requirements. Section 8.2.4.

Image by Thought Catalog


© 2022 ORS Consulting. All Rights Reserved.
